I work for a small outdoor retailer where I'm lucky enough to build internal web apps that benefit different departments.

We recently updated my Web Servers that are set up on the intranet, not for public use. I updated to XAMPP 5.6.8.

We have a company that scans our systems to make sure we are compliant, PCI and otherwise. This company keeps telling us my internal web server has vulnerabilities, specifically with openssl and needing a "server certificate signed with a public key length of at least 2048 bits".

- Stop Apache
- Rename the apache folder in xampp to apache.old
- Download zip: http://www.apachelounge.com/download/VC11/binaries/httpd-2.4.12-win32-VC11.zip
- Copy the Apache24 directory from the zip to xampp and rename it to apache
- Delete apache\config and copy apache.old\config to apache\
- Copy libssh2.dll from apache.old\bin\ to apache\bin\
- Restart Apache
- Optionally copy the batch-files from old to new (they are not needed for the operation of Apache)

Of course you still have to generate new Certificates to pass your compliance check.

Follow the instructions carefully in the readme.1st.txt file, especially about backing up the files you will be replacing first!

You do not have to worry about the apr_crypto_openssl.dll file since it was not included in your Xampp.

This particular CVE you have pointed out is simply a DoS, rated Moderate; it'll crash Apache. There seems to be no remote code execution exploitable vector. There are probably bigger fish to fry in your SSL config (< 2048 bit key, disabling SSLv3, not using old CBC ciphers, etc.). 1.0.1m removed all Export ciphers, and SSLv2 was disabled long ago in Apache 2.4, so that's a plus.

I can't believe they are nagging you on an internal only, non-internet facing development computer. Sounds like security theater.
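As an added example (not code from the question or either answer), here is the certificate step from the first answer and the key-length point from the second one: a POSIX shell script that generates a 2048-bit RSA key and self-signed certificate for an assumed placeholder intranet hostname, then reads the key length back out of the certificate the way a compliance scanner would. The hostname, output directory and 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a server key and
# self-signed certificate that satisfy the "at least 2048 bits" finding, and
# checks the certificate's public-key length before it is put into Apache.
set -eu

HOST="${HOST:-intranet.example.local}"   # assumed placeholder hostname
OUTDIR="${OUTDIR:-./certs}"              # assumed output directory

# Generate an RSA private key of the requested size and a self-signed
# certificate for it (SHA-256 signature, one year validity).
gen_server_cert() {
    bits="$1"
    mkdir -p "$OUTDIR"
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -keyout "$OUTDIR/server.key" -out "$OUTDIR/server.crt" \
        -subj "/CN=$HOST" >/dev/null 2>&1
}

# Print the public-key length in bits recorded in a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 when the certificate's key meets the minimum (default 2048 bits).
cert_meets_minimum() {
    bits="$(cert_key_bits "$1")"
    [ "${bits:-0}" -ge "${2:-2048}" ]
}

# Generate a compliant certificate and verify it before deploying it.
gen_server_cert 2048
if cert_meets_minimum "$OUTDIR/server.crt" 2048; then
    echo "server.crt: $(cert_key_bits "$OUTDIR/server.crt")-bit key, compliant"
else
    echo "server.crt: key shorter than 2048 bits, regenerate it" >&2
    exit 1
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile in apache\conf\extra\httpd-ssl.conf at the generated files and restart Apache; rerunning cert_meets_minimum against the deployed certificate is a quick pre-scan check.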